"ET TROJAN Possible Upatre Downloader SSL certificate"

SID: 2017816

Revision: 4

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2013_12_06

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: 443

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

  • Value: "|2a 86 48 86 f7 0d 01 09 01|"

Within:

PCRE: "/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+).).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"

Special Options:

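The following is an added illustration, not part of the Emerging Threats rule page and not ET's own code. It emulates in Python what the rule's content match and PCRE do together: the byte string `2a 86 48 86 f7 0d 01 09 01` is the DER encoding of OID 1.2.840.113549.1.9.1 (emailAddress), and the PCRE, anchored relative to that match (the `R` modifier), requires an address built from keyboard rows (`asdfgh`, `qwerty`, `zxcvbn`) that repeats after a second emailAddress OID, i.e. the same fake address in both issuer and subject. The named group `fake_email` is taken from the page's `(?P=fake_email)` backreference; the certificate-like byte blob, the helper names and the simplified relative-match loop are constructed assumptions for the example.

```python
import re

# DER-encoded OID 1.2.840.113549.1.9.1 (pkcs-9 emailAddress); the rule's content match
EMAIL_ADDRESS_OID_DER = bytes.fromhex("2a864886f70d010901")

# The rule's pcre with the named group restored; re.DOTALL mirrors the PCRE "s" modifier.
# Each character class is one keyboard row, which is why the group is called fake_email.
# Note the trailing "." inside the group: the byte after the address is captured too, so the
# backreference also requires the same byte to follow the second copy of the address.
UPATRE_CERT_PCRE = re.compile(
    rb"^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+).)"
    rb".+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)",
    re.DOTALL,
)


def detect_upatre_cert(payload: bytes):
    """Emulate content + pcre/R: for every occurrence of the emailAddress OID, run the
    regex starting right after it (the slice makes "^" mean "relative to the content
    match", as the R modifier does). Returns the fake address on a hit, else None.
    This is an assumption-based emulation of the engine, not Snort/Suricata itself."""
    start = 0
    while True:
        idx = payload.find(EMAIL_ADDRESS_OID_DER, start)
        if idx < 0:
            return None
        tail = payload[idx + len(EMAIL_ADDRESS_OID_DER):]
        m = UPATRE_CERT_PCRE.match(tail)
        if m:
            # drop the one trailing byte captured by the "." inside the group
            return m.group("fake_email")[:-1]
        start = idx + 1


def _email_rdn(email: bytes) -> bytes:
    # AttributeTypeAndValue: OBJECT IDENTIFIER emailAddress, then an IA5String value
    return b"\x06\x09" + EMAIL_ADDRESS_OID_DER + b"\x16" + bytes([len(email)]) + email


def build_sample_cert_bytes(issuer_email: bytes, subject_email: bytes) -> bytes:
    """Constructed, deliberately simplified stand-in for certificate bytes seen in a TLS
    server handshake: issuer RDN, a validity SEQUENCE, subject RDN. It is not a valid
    X.509 structure; it only reproduces the byte layout the signature keys on."""
    validity = b"\x30\x1e\x17\x0d131206000000Z\x17\x0d141206000000Z"
    return (b"\x30\x82\x01\x00"
            + _email_rdn(issuer_email) + validity
            + _email_rdn(subject_email) + b"\x30\x00")


if __name__ == "__main__":
    hit = build_sample_cert_bytes(b"asdf@qwerty", b"asdf@qwerty")
    benign = build_sample_cert_bytes(b"admin@example.com", b"admin@example.com")
    mismatch = build_sample_cert_bytes(b"asdf@qwerty", b"zxcv@qwerty")
    print("keyboard-row address in issuer and subject:", detect_upatre_cert(hit))
    print("ordinary address:", detect_upatre_cert(benign))
    print("row address but issuer != subject:", detect_upatre_cert(mismatch))
```

The third sample shows the effect of the backreference: an address made of keyboard rows is not enough on its own; the same value (plus the byte that follows it) must appear after both emailAddress OIDs, which is what makes the match specific to the self-signed certificates the rule targets.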